RtkAudUService64[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

RtkAudUService64.exe
Size

836KB
MD5

b8d8df66e0f378172c1ad01dd551874c
SHA1

51772f0917cdf6c23b88639e480a55afdf01e7f8
SHA256

e1cd0f189e77beaa7d18834d2ede59aa10fbb97465daebe32de2dc347494149b
SHA512

59273dad082a47df879421af3685baa58b0a942d87c9a97d3cd94e0fc59c96df663fcfb6c1762e6a7be5a5898ec34023126a54f430a84a7bea8ea6202a572a19
SSDEEP

12288:8EJh59Gi4SWWmnASZ3zTgoHUAnoiMj77CiW7ePF0Yp+Pfhv6jqJ:8WhXGqWWmdzTgrAqyiyDfh6qJ

Score

1^/10

Malware Config

Signatures

Files

RtkAudUService64.exe
.exe windows:6 windows x64 arch:x64

a8395452123ba24352fb5f4517ada7d3

Code Sign

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:94:73:e0:01:50:bc:5e:b4:7f:29:a1:0d:cc:dd:bd
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

26/12/2018, 00:00

Not After

15/09/2020, 12:00

Subject

SERIALNUMBER=22671299,CN=Realtek Semiconductor Corp.,O=Realtek Semiconductor Corp.,L=HSINCHU,C=TW,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13025457

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

09:c0:fc:46:c8:04:42:13:b5:59:8b:af:28:4f:4e:41
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

04/01/2017, 00:00

Not After

18/01/2028, 00:00

Subject

CN=DigiCert SHA2 Timestamp Responder,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:85:7f:83:dc:2a:6c:a9:79:b8:00:00:00:00:00:85
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05/06/2019, 18:06

Not After

03/06/2020, 18:06

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/04/2012, 23:48

Not After

18/04/2027, 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e0:8f:dd:fc:3e:00:06:ef:a1:e7:a4:93:ee:6b:cc:c3:1e:f0:79:cb:7f:4b:5a:33:08:f3:3e:93:14:da:8a:b1
Signer

Actual PE Digest

e0:8f:dd:fc:3e:00:06:ef:a1:e7:a4:93:ee:6b:cc:c3:1e:f0:79:cb:7f:4b:5a:33:08:f3:3e:93:14:da:8a:b1

Digest Algorithm

sha256

PE Digest Matches

true

e0:8f:dd:fc:3e:00:06:ef:a1:e7:a4:93:ee:6b:cc:c3:1e:f0:79:cb:7f:4b:5a:33:08:f3:3e:93:14:da:8a:b1
Signer

Actual PE Digest

e0:8f:dd:fc:3e:00:06:ef:a1:e7:a4:93:ee:6b:cc:c3:1e:f0:79:cb:7f:4b:5a:33:08:f3:3e:93:14:da:8a:b1

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\Chunyung\source\repos\RtkAudUService\Release\x64\RtkAudUService64.pdb

Imports

oleaut32

LPSAFEARRAY_UserUnmarshal64
LPSAFEARRAY_UserMarshal
BSTR_UserMarshal
BSTR_UserSize64
LPSAFEARRAY_UserSize64
BSTR_UserMarshal64
BSTR_UserUnmarshal
LPSAFEARRAY_UserMarshal64
LPSAFEARRAY_UserFree64
LPSAFEARRAY_UserUnmarshal
LPSAFEARRAY_UserFree
BSTR_UserUnmarshal64
LPSAFEARRAY_UserSize
VariantCopy
BSTR_UserFree
BSTR_UserFree64
BSTR_UserSize
SysAllocStringLen
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayPutElement
SafeArrayCreateVector
VariantClear
VariantInit
SysFreeString
SysAllocString

rpcrt4

RpcEpRegisterW
RpcServerListen
RpcServerUnregisterIf
RpcEpUnregister
RpcBindingVectorFree
RpcServerRegisterIf3
NdrServerCall2
RpcServerUseProtseqEpW
NdrClientCall3
RpcServerInqBindings
NdrServerCallAll

api-ms-win-core-com-l1-1-0

CoUninitialize
CoInitializeEx
PropVariantClear
StringFromGUID2
CLSIDFromString
CoTaskMemFree
CoFreeUnusedLibrariesEx
CoSetProxyBlanket
CoInitializeSecurity
CoCreateInstance

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
HeapSize
HeapReAlloc
GetProcessHeap
HeapDestroy

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW
lstrlenW

api-ms-win-core-file-l1-1-0

FileTimeToLocalFileTime
GetFileAttributesW
CreateFileW
QueryDosDeviceW
DeleteFileW

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
LoadStringW
FreeLibrary
GetModuleHandleA
GetProcAddress
FindResourceExW
LoadResource
LockResource
SizeofResource
GetModuleFileNameW
LoadLibraryExW

api-ms-win-core-synch-l1-1-0

InitializeCriticalSection
LeaveCriticalSection
DeleteCriticalSection
EnterCriticalSection
TryEnterCriticalSection
WaitForSingleObjectEx
SetWaitableTimer
CreateMutexW
CreateEventW
CreateEventExW
InitializeCriticalSectionEx
SetEvent
ResetEvent
CancelWaitableTimer
InitializeCriticalSectionAndSpinCount
WaitForSingleObject

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW
FindResourceW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
GetStringTypeW
MultiByteToWideChar

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
TlsAlloc
TlsSetValue
ProcessIdToSessionId
TlsGetValue
TerminateProcess
CreateProcessAsUserW
GetCurrentThreadId
GetCurrentProcessId
GetExitCodeProcess
TlsFree
CreateProcessW
CreateThread
OpenProcessToken
GetStartupInfoW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-debug-l1-1-0

OutputDebugStringA
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegDeleteValueW
RegOpenKeyExW
RegQueryValueExW
RegGetKeySecurity
RegSetKeySecurity
RegSetValueExW
RegCreateKeyExW
RegGetValueW
RegNotifyChangeKeyValue
RegEnumValueW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
UnhandledExceptionFilter
RaiseException
SetUnhandledExceptionFilter

ext-ms-win-shell32-shellfolders-l1-1-0

SHGetSpecialFolderPathW
SHGetFolderPathW

api-ms-win-core-privateprofile-l1-1-0

GetProfileIntW

api-ms-win-core-sysinfo-l1-1-0

GetLocalTime
GetSystemDirectoryW
GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-registry-l2-1-0

RegCreateKeyW

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-localization-l1-2-0

LCMapStringW
FormatMessageW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-core-synch-l1-2-1

CreateWaitableTimerW
WaitForMultipleObjects

api-ms-win-core-kernel32-legacy-l1-1-0

WTSGetActiveConsoleSessionId
GetSystemPowerStatus

api-ms-win-security-base-l1-1-0

DuplicateTokenEx
SetTokenInformation
AdjustTokenPrivileges
AddAccessAllowedAceEx
InitializeAcl
CreateWellKnownSid
AllocateAndInitializeSid
GetSecurityDescriptorDacl
InitializeSecurityDescriptor
GetLengthSid
SetSecurityDescriptorDacl
AddAce
GetAclInformation
GetAce
FreeSid

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-security-base-l1-2-2

DeriveCapabilitySidsFromName

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

bcrypt

BCryptImportKeyPair
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptOpenAlgorithmProvider
BCryptEncrypt

api-ms-win-service-core-l1-1-0

StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerExW
SetServiceStatus

api-ms-win-service-management-l1-1-0

OpenSCManagerW
CreateServiceW
OpenServiceW
DeleteService
CloseServiceHandle

api-ms-win-service-winsvc-l1-1-0

ControlService
QueryServiceStatus

api-ms-win-service-management-l2-1-0

QueryServiceStatusEx

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW
K32GetModuleBaseNameW
K32EnumProcessModules
K32EnumProcesses

api-ms-win-appmodel-runtime-l1-1-1

FindPackagesByPackageFamily

api-ms-win-mm-misc-l1-1-0

mmioSeek
mmioAscend
mmioClose
mmioOpenW
mmioCreateChunk
mmioDescend
mmioRead
mmioGetInfo
mmioAdvance
mmioSetInfo
mmioWrite

api-ms-win-core-toolhelp-l1-1-0

Process32NextW
CreateToolhelp32Snapshot
Process32FirstW

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW

userenv

CreateEnvironmentBlock

api-ms-win-core-memory-l1-1-0

ReadProcessMemory

api-ms-win-core-threadpool-l1-2-0

SubmitThreadpoolWork
CreateThreadpoolWork

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceLoggerHandle
GetTraceEnableLevel
TraceMessage
GetTraceEnableFlags
RegisterTraceGuidsW

setupapi

SetupDiGetDevicePropertyW
SetupDiGetDeviceInterfaceDetailW
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInstanceIdW
SetupDiGetDeviceRegistryPropertyW
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList

wtsapi32

WTSQueryUserToken
WTSRegisterSessionNotification

kernel32

WriteProfileStringW
WinExec

user32

SetTimer
SetWinEventHook
FindWindowExW
SendMessageW
TranslateMessage
GetMessageW
CreateWindowExW
RegisterDeviceNotificationW
ShowWindow
RegisterClassW
UnhookWindowsHookEx
CallNextHookEx
SendInput
LoadCursorW
LoadIconW
DefWindowProcW
GetClassNameA
KillTimer
UnregisterDeviceNotification
SetWindowsHookExW
DispatchMessageW
UnhookWinEvent

advapi32

DeregisterEventSource
RegisterEventSourceW
ReportEventW
GetUserNameW

ole32

CoInitialize

avrt

AvRevertMmThreadCharacteristics
AvSetMmThreadCharacteristicsW

ntdll

NtQueryInformationProcess

oleacc

AccessibleObjectFromEvent

wininet

InternetCloseHandle
InternetOpenW
InternetReadFile
InternetOpenUrlW

api-ms-win-crt-runtime-l1-1-0

_set_app_type
_seh_filter_exe
_configure_wide_argv
_errno
_get_wide_winmain_command_line
_initialize_onexit_table
exit
_invalid_parameter_noinfo
_exit
_c_exit
_register_thread_local_exe_atexit_callback
_crt_atexit
_register_onexit_function
_cexit
abort
_initterm_e
_initterm
_invalid_parameter_noinfo_noreturn
terminate
_initialize_wide_environment

api-ms-win-crt-string-l1-1-0

wcscpy_s
islower
_wcsupr_s
wcstok_s
isupper
strcpy_s
iswspace
wcscat_s
wcsncmp
_wcsicmp
towupper
strcmp
wmemcpy_s
strcspn
wcsnlen
__strncnt
_wcsdup

api-ms-win-crt-stdio-l1-1-0

fflush
fsetpos
__stdio_common_vswprintf
__stdio_common_vswprintf_s
ungetwc
fputc
fputs
__stdio_common_vfwprintf
__stdio_common_vfprintf_s
__stdio_common_vfprintf
fputwc
_wfsopen
fseek
fputws
fgets
fclose
fgetpos
fgetc
_fseeki64
__stdio_common_vsprintf
_get_stream_buffer_pointers
fgetwc
__stdio_common_vsprintf_s
_flushall
fwrite
__acrt_iob_func
ungetc
__p__commode
_wfopen_s
setvbuf
_set_fmode

api-ms-win-crt-heap-l1-1-0

free
malloc
_free_base
realloc
_recalloc
_malloc_base
calloc
_calloc_base
_set_new_mode
_callnewh

api-ms-win-crt-convert-l1-1-0

wcstoul
_wtoi
wcstol

api-ms-win-crt-math-l1-1-0

powf
asinf
atan2f
log10f
frexp
__setusermatherr

api-ms-win-crt-locale-l1-1-0

localeconv
___mb_cur_max_func
___lc_codepage_func
___lc_locale_name_func
_configthreadlocale
__pctype_func
setlocale
_unlock_locales
_lock_locales

api-ms-win-crt-multibyte-l1-1-0

_mbschr
_ismbblead
_mbsstr

shlwapi

PathFileExistsW

api-ms-win-core-rtlsupport-l1-1-0

RtlUnwindEx
RtlPcToFileHeader
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-crt-filesystem-l1-1-0

_lock_file
_unlock_file

Sections

.text
Size: 463KB - Virtual size: 462KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 279KB - Virtual size: 279KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a8395452123ba24352fb5f4517ada7d3

Code Sign

61:20:4d:b4:00:00:00:00:00:27Certificate

Key Usages

0d:94:73:e0:01:50:bc:5e:b4:7f:29:a1:0d:cc:dd:bdCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

09:c0:fc:46:c8:04:42:13:b5:59:8b:af:28:4f:4e:41Certificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

33:00:00:00:85:7f:83:dc:2a:6c:a9:79:b8:00:00:00:00:00:85Certificate

Extended Key Usages

61:0b:aa:c1:00:00:00:00:00:09Certificate

Key Usages

e0:8f:dd:fc:3e:00:06:ef:a1:e7:a4:93:ee:6b:cc:c3:1e:f0:79:cb:7f:4b:5a:33:08:f3:3e:93:14:da:8a:b1Signer

e0:8f:dd:fc:3e:00:06:ef:a1:e7:a4:93:ee:6b:cc:c3:1e:f0:79:cb:7f:4b:5a:33:08:f3:3e:93:14:da:8a:b1Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

oleaut32

rpcrt4

api-ms-win-core-com-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-string-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-errorhandling-l1-1-0

ext-ms-win-shell32-shellfolders-l1-1-0

api-ms-win-core-privateprofile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-registry-l2-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-kernel32-legacy-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-sddl-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-security-base-l1-2-2

api-ms-win-security-provider-l1-1-0

api-ms-win-core-registry-l1-1-1

bcrypt

api-ms-win-service-core-l1-1-0

api-ms-win-service-management-l1-1-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-service-management-l2-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-appmodel-runtime-l1-1-1

api-ms-win-mm-misc-l1-1-0

api-ms-win-core-toolhelp-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

userenv

api-ms-win-core-memory-l1-1-0

61:20:4d:b4:00:00:00:00:00:27
Certificate

0d:94:73:e0:01:50:bc:5e:b4:7f:29:a1:0d:cc:dd:bd
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

09:c0:fc:46:c8:04:42:13:b5:59:8b:af:28:4f:4e:41
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

33:00:00:00:85:7f:83:dc:2a:6c:a9:79:b8:00:00:00:00:00:85
Certificate

61:0b:aa:c1:00:00:00:00:00:09
Certificate

e0:8f:dd:fc:3e:00:06:ef:a1:e7:a4:93:ee:6b:cc:c3:1e:f0:79:cb:7f:4b:5a:33:08:f3:3e:93:14:da:8a:b1
Signer

e0:8f:dd:fc:3e:00:06:ef:a1:e7:a4:93:ee:6b:cc:c3:1e:f0:79:cb:7f:4b:5a:33:08:f3:3e:93:14:da:8a:b1
Signer

.text
Size: 463KB - Virtual size: 462KB

.rdata
Size: 279KB - Virtual size: 279KB

.data
Size: 10KB - Virtual size: 19KB

.pdata
Size: 23KB - Virtual size: 22KB

.rsrc
Size: 36KB - Virtual size: 36KB

.reloc
Size: 6KB - Virtual size: 5KB